The online gaming industry is relatively new, but it is one of the most dynamic due to continuous technological innovation. The number of households with connected games is steadily increasing; however, with the growing popularity of the online gaming industry, there has also been an increase in cyberattacks. This raises a number of concerns with regard to the need to protect the integrity of networks and of the information exchanged by online gamers, who are often unaware of the cyber risks. In this respect, online gaming operators (hereinafter referred to as “Providers”, also including, as the case may be, developers and distributors) need to adopt and implement appropriate IT security measures in compliance with European legislative standards and obligations on cybersecurity in order to prevent cyberattacks.

The legal framework: from the NIS Directive to the Cybersecurity Act

The European legislative framework on cybersecurity has recently been updated. As already discussed in our previous article European cybersecurity standards and their implementation within the Italian legislative framework, the most relevant European legislation on cybersecurity is Directive no. 2016/1148/EU (the “NIS Directive” or the “NISD”), implemented in Italy through Legislative Decree no. 65/2018. The NISD imposes a number of obligations upon operators of essential services as well as upon providers of digital services (such as Providers) with regard to the need to adopt appropriate technical and organizational measures to prevent IT incidents. In addition, such entities have an obligation to notify the competent authorities or the appointed national Cyber Security Incident Response Team (also known as CSIRT) without undue delay in the event of any incident with a substantial impact on the provision of the service.

Moreover, European institutions, in their effort to develop new strategies aimed at strengthening the security of networks and information systems, have recently approved new legislation: Regulation no. 2019/881/EU (the “Cybersecurity Act”). The Cybersecurity Act provides for a detailed EU scheme for the certification of ICT products and digital services in order to evaluate the security level of such products or services. To evaluate the cybersecurity risk of a certain product, service or process, a certificate refers to three possible levels of risk (i.e. basic, substantial, high), in light of the likelihood and severity of a potential incident. Moreover, the Cybersecurity Act strengthens the role of the European Agency for Network and Information Security (“ENISA”). Article 4 of the Cybersecurity Act clarifies – inter alia – that the ENISA shall i) be a center of expertise on cybersecurity by virtue of its independence; ii) promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market; and iii) promote cooperation, among EU member states, European institutions, bodies, offices and agencies, and relevant private and public stakeholders on matters related to cybersecurity.

The cybersecurity risk-based approach

As described in the previous section, Providers must comply with the cybersecurity obligations imposed by EU and national legislation. Furthermore, Providers should consider whether to adopt a “cybersecurity risk-based approach”. Such an approach implies the assessment of all cyber risks that may arise in connection with a new online game before commercializing it. In this regard, the Cybersecurity Act’s rules on the certification of ICT products and digital services encourage Providers to secure products and services from the earliest stages of design and development. This implies the implementation of tools (e.g. firewalls, two-factor authentication systems, anti-DDoS software, etc.), together with the adoption of an organizational structure able to duly respond in case of cyberattacks.

Data protection issues

Last but not least, Providers are also required to comply with data protection legislation, strengthened by Regulation no. 679/2016/EU (General Data Protection Regulation, “GDPR”). By way of example, when an online game appears to be particularly risky and large volumes of data are processed, Providers should consider carrying out a data protection impact assessment (DPIA) before starting the processing, in order to mitigate the risks identified. In this regard, it is worth noting that the level of risk may also be assessed taking into account the possibility that data subjects’ personal data are likely to be transferred outside the European Economic Area (EEA), which is a common scenario for a number of Providers. In any case, players must be provided with an appropriate information notice by Providers, acting as data controllers, and they must be able to exercise their rights as data subjects (the rights listed in Articles 15 to 22 GDPR). Moreover, Providers must ensure that each processing operation is based on a correct lawful basis pursuant to Article 6 GDPR, and they must confirm that data subjects have given their free, informed, specific and unambiguous consent where necessary (e.g. for marketing purposes).

Towards stricter data governance?

Online gaming is certainly very exciting and will most probably become more and more attractive, evolving in parallel with the development and spread of new technologies and IT products. However, for online gaming to remain a successful business model and avoid reputational setbacks, cybersecurity should remain a top priority. In this regard, Providers will most likely be required to adopt data governance standards in line with those of other industries (e.g. finance and banking) that have traditionally been affected by cyberattacks.